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DETAILED ACTION 

Election/Restrictions 

This application contains claims drawn to inventions nonelected with traverse in 
Applicant's remarks dated March 8, 2006. A complete reply to the final rejection must include 
cancellation of nonelected claims or other appropriate action (37 CFR 1.144) See MPEP 
§821.01. 

Claim Rejections - 35 USC §103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

Claims 9 and 32-38 are rejected under 35 U.S.C. 103(a) as being unpatentable over Smith 
(U.S. 6,529,956). r 

As per claim 9, Smith teaches a method comprising the steps of: retrieving data for a 
web page document including a URL of one or more resources referenced in the web page 
document (column 2, lines 25-40; where in the process of generating the PURL, the document 
URL is retrieved to be presented along with the web page document); retrieving resource access 
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right data for the URL using the IP address of the WAD and/or user name and password 
established through a login procedure (1 1; 62-65, 13; 60-65, 15; 57-62, 16; 15-25); generating 
hash and/or encrypted data to generate secure resource access right data (5; 40-60); combining 
the secure resource access right data with the respective URL to generate a secure URL (2; 25- 
40, 11; 39-54, 17; 20-27); generating a document including the secure URL that can be used to 
generate a request for the one or more resources (2; 25-40, 16; 35-59); and transmitting the 
document including the secure URL to the WAD (11; 39-54, 2; 25-40). Smith teaches receiving 
a signal at a web server requesting a web page document from a WAD, the signal including an IP 
address of the WAD, and that the secure URL is transmitted to the user, but does not specifically 
teach that the document with the secure URL is a web page document, that the request is made 
before the generation of the secure URL, and that the initial request is the trigger for the process 
of URL generation. It would have been obvious to one of ordinary skill in the art at the time of 
the invention to include the ability to have a user-triggered PURL generation to allow for the 
user to have control if he/she wants to access a certain sensitive document. This would lead to 
further diversity of the invention, such that secure URLs can be generated on an as-needed basis, 
but would still be subject to the verification of data access rights. Further, the use of a web page 
document to transmit the secure URL constitutes a design choice. Given that Smith has 
anticipated the generation of secure URLs using user-information, it would have been obvious to 
one of ordinary skill in the art to extend this teaching such that the user initiates the generation of 
the secure URL. 

As per claim 32, Smith teaches a method comprising the steps of: receiving a signal 
requesting access to a resource, the request signal including a URL, secured resource access right 
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data, and an IP address of a device requesting access to the resource, and hash data, wherein the 
request signal was generated from a link containing a secure URL combining the hash data, 
URL, and secured resource access right data (13; 33-46, 15; 30-40); verifying whether key data 
is valid based on data corresponding to the key data in a secure content key database (13; 60-65); 
if the key data is verified as valid in step (b), generating hash data based on at least the key data 
(15; 57-62, 16; 15-25); and verifying that the hash data generated matches the hash data included 
in the request signal received (15; 30-40). Smith does not specifically teach that the request 
signal is generated from a web page, and that the verification steps take place in response to 
receiving the signal. It would have been obvious to one of ordinary skill in the art at the time of 
the invention to include that the verification process of receiving a signal takes place after 
receiving the signal. The motivation for doing so lies in the fact that the verification would allow 
for enhanced security, such that if a user used a link erroneously obtained, there exists safeguards 
to prevent the user from accessing private data meant for a different user. Given that Smith 
already teaches the tracking of IP addresses to prevent wrong EP addresses from accessing the 
data corresponding to the PURL, and the verification of hash data, it would have been obvious to 
one of ordinary skill in the art to specifically dispose this teaching as claimed. Further 
motivation is also discussed in the treatment of claim 1 . Smith does not specifically teach that 
the hash data is generated based on the IP address and URL. It would have been obvious to one 
of ordinary skill in the art at the time of the invention to include that the IP address and URL are 
used to form hash data. Given that Smith teaches the use of an IP address as an enforcement tool 
for security, such that only valid IP addresses are allowed to access the data, it would have been 
obvious to one of ordinary skill in the art to use this and the URL to form hash data, as it would 
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enable another level of security, such that non-matching hash data is disallowed access to the 
documents. Further the use of these entities to form hash data is well known in the art of access 
control, and therefore its specific inclusion would have been obvious to one of ordinary skill in 
the art in view of Smith. 

As per claim 33, Smith teaches the method as claimed in claim 32, further comprising the 
steps of: terminating the request signal if the verifying of the step (d) indicates that the hash data 
generated in the step (c) does not match the hash data included in the request signal received in 
the step (a) (13; 60-65). 

As per claim 34, Smith teachesthe method as claimed in claim 33, further comprising the 
steps of: determining whether access to a resource is to be provided to a device identified by the 
EP address, based on the resource access right data included in the request signal (15; 57-62, 16; 
15-25); and providing access to the resource to a device identified by the EP address if the 
determining of the step (f) indicates that access to the resource is to be provided (15; 57-62, 16; 
15-25). 

As per claim 35, Smith teaches the method as claimed in claim 34, further comprising the 
steps of: retrieving resource access right data from a database, the determining of step (f) based 
further on whether the IP address of the request signal is authorized to access the resource 
indicated by the URL of the request signal, based on the retrieved resource access right data (13; 
60-65). 

As per claim 36, Smith teaches the method as claimed in claim 32, wherein the request 
signal received in step (a) includes key index data, the method further comprising the step of: 
retrieving the key data from the secure content key database using key index data (13; 32-46). 
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As per claims 37 and 38, Smith teaches the method as claimed in claim 32, but does not 
specifically teach time-to-live considerations in dealing with the validity of key data. Official 
notice is taken that the consideration of time-based data in creating and using keys is well known 
in the art of key generation and manipulation (Please see paragraph 373 of U.S. 2004/0170176, 
as an example). It would have been obvious to one of ordinary skill in the art at the time of the 
invention to include time-to-live considerations in the system of Smith, to allow for situations 
where sessions may be timed out, so that security is maintained. 

Response to Arguments 



Applicant's arguments filed on December 8, 2006 have fully been considered. 

a. Applicant asserts that key data verification takes place for a sender of a document and 
not a recipient. Examiner respectfully disagrees. The keys in Smith are used for communication 
in both ways, such that the sender can be subject to key verification, and that the user of a link is 
also subject to key verification (column 15, lines 30-41; column 16, lines 25-35; where the 
teaching of a requestor being subject to a key is discussed). Further, the entity subject to key 
verification is irrelevant with regard to the claim language, as it does not discuss whether the 
recipient or sender should be subject to it. 

b. All remaining arguments are respectfully traversed by the new grounds of rejection. 

Conclusion 



V 
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Applicant's amendment necessitated the new ground(s) of rejection presented in this 
Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). 
Applicant is reminded of the extension of time policy as set forth in 37 CFR 1 .136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1 . 136(a) will be calculated from the mailing date of the advisory action. In no event, 
however, will the statutory period for reply expire later than SIX MONTHS from the date of this 
final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Tanim Hossain whose telephone number is 571/272-3881. The 
examiner can normally be reached on 8:30 am - 5 pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Jason Cardone can be reached on 571/272-3933. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 
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Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

Tanim Hossain 
Patent Examiner 
Art Unit 2145 
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